From 3ade29ac969506e771eedd085e8c7973d3e33e56a3120cb52a19c6f295d91225 Mon Sep 17 00:00:00 2001 From: Neil Brown Date: Mon, 22 Jul 2013 06:15:20 +0000 Subject: [PATCH 1/3] - New upstream release 1.2.8 - mostly bugfixes, many to gssd. No important new functionality - Changes to ./configure command to remove warnings - 8 more patches from upstream 'git' to fix non-trivial bugs including on CVE. OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=87 --- 0001-mountd-Fix-is_subdirectory-again.patch | 81 ++++++++++++++ ...fix-to-Avoid-DNS-reverse-resolution-.patch | 102 ++++++++++++++++++ ...-preferred-realm-command-line-option.patch | 45 ++++++++ 0004-nfsiostat-restore-output-format.patch | 69 ++++++++++++ ...up-on-machine-credential-if-hostname.patch | 48 +++++++++ ...gssd-fixed-typo-in-machine-cred-name.patch | 31 ++++++ nfs-utils-1.2.7.tar.bz2 | 3 - nfs-utils-1.2.8.tar.bz2 | 3 + nfs-utils.changes | 9 ++ nfs-utils.spec | 24 ++++- 10 files changed, 408 insertions(+), 7 deletions(-) create mode 100644 0001-mountd-Fix-is_subdirectory-again.patch create mode 100644 0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch create mode 100644 0003-Fix-handling-of-preferred-realm-command-line-option.patch create mode 100644 0004-nfsiostat-restore-output-format.patch create mode 100644 0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch create mode 100644 0006-gssd-fixed-typo-in-machine-cred-name.patch delete mode 100644 nfs-utils-1.2.7.tar.bz2 create mode 100644 nfs-utils-1.2.8.tar.bz2 diff --git a/0001-mountd-Fix-is_subdirectory-again.patch b/0001-mountd-Fix-is_subdirectory-again.patch new file mode 100644 index 0000000..54c0317 --- /dev/null +++ b/0001-mountd-Fix-is_subdirectory-again.patch 
@@ -0,0 +1,81 @@ +From 23d3980b6cfea4e9056d9b7b81e48b4fefc645e0 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Tue, 7 May 2013 11:46:18 -0400 +Subject: [PATCH] mountd: Fix is_subdirectory again + +The problem was that is_subdirectory() would also succeed if the two +directories were the same. This is needed for path_matches() which +needs to see if the child is same-or-descendant. + +So this patch rearranges path_matches() to do the "are they the same" +test itself and only bother with is_subdirectory() if it they are not +the same. + +So now is_subdirectory() can be strict, and so can be usable for +subexport(), which needs a strong 'in subdirectory - not the same' test. + +Acked-by: J. Bruce Fields +Signed-off-by: NeilBrown +Signed-off-by: Steve Dickson +--- + utils/mountd/cache.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/utils/mountd/cache.c b/utils/mountd/cache.c +index 737927c..517aa62 100644 +--- a/utils/mountd/cache.c ++++ b/utils/mountd/cache.c +@@ -347,20 +347,26 @@ static char *next_mnt(void **v, char *p) + + static int is_subdirectory(char *child, char *parent) + { ++ /* Check is child is strictly a subdirectory of ++ * parent or a more distant descendant. ++ */ + size_t l = strlen(parent); + +- if (strcmp(parent, "/") == 0) ++ if (strcmp(parent, "/") == 0 && child[1] != 0) + return 1; + +- return strcmp(child, parent) == 0 +- || (strncmp(child, parent, l) == 0 && child[l] == '/'); ++ return (strncmp(child, parent, l) == 0 && child[l] == '/'); + } + + static int path_matches(nfs_export *exp, char *path) + { +- if (exp->m_export.e_flags & NFSEXP_CROSSMOUNT) +- return is_subdirectory(path, exp->m_export.e_path); +- return strcmp(path, exp->m_export.e_path) == 0; ++ /* Does the path match the export? I.e. is it an ++ * exact match, or does the export have CROSSMOUNT, and path ++ * is a descendant? 
++ */ ++ return strcmp(path, exp->m_export.e_path) == 0 ++ || ((exp->m_export.e_flags & NFSEXP_CROSSMOUNT) ++ && is_subdirectory(path, exp->m_export.e_path)); + } + + static int +@@ -369,15 +375,13 @@ export_matches(nfs_export *exp, char *dom, char *path, struct addrinfo *ai) + return path_matches(exp, path) && client_matches(exp, dom, ai); + } + +-/* True iff e1 is a child of e2 and e2 has crossmnt set: */ ++/* True iff e1 is a child of e2 (or descendant) and e2 has crossmnt set: */ + static bool subexport(struct exportent *e1, struct exportent *e2) + { + char *p1 = e1->e_path, *p2 = e2->e_path; +- size_t l2 = strlen(p2); + + return e2->e_flags & NFSEXP_CROSSMOUNT +- && strncmp(p1, p2, l2) == 0 +- && p1[l2] == '/'; ++ && is_subdirectory(p1, p2); + } + + struct parsed_fsid { +-- +1.8.3.1.487.g3e7a5b4 + diff --git a/0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch b/0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch new file mode 100644 index 0000000..70d6f90 --- /dev/null +++ b/0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch 
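Review bot: In the patched `is_subdirectory()`, the new root-parent test `child[1] != 0` reads one byte past the terminator when `child` is an empty string, and it returns 1 for a relative path of two or more characters when `parent` is "/". Whether callers can pass such paths is not visible in the hunk; if they can, the test should look at the first byte as well: `if (strcmp(parent, "/") == 0 && child[0] == '/' && child[1] != 0)`. The added comment also has a typo, "Check is child" for "Check if child".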
@@ -0,0 +1,102 @@ +From c93e8d8eeafec3e3228e24dfebef113e0a79a788 Mon Sep 17 00:00:00 2001 +From: "Signed-off-by: NeilBrown" +Date: Tue, 28 May 2013 12:59:22 -0400 +Subject: [PATCH] gssd: Fix recent fix to Avoid DNS reverse resolution in gssd. + +The final version for this fix that was committed inverted the test +so makes no change in the important cases. + +The documentation didn't really help a naive user know when the new -D +flag should be used. + +And the code (once fixed) avoided DNS resolution on non-qualified names too, +which probably isn't a good idea. + +This patch fixes all three issues. + +Signed-off-by: NeilBrown +Signed-off-by: Steve Dickson +--- + utils/gssd/gssd.man | 27 ++++++++++++++++++++++----- + utils/gssd/gssd_proc.c | 18 ++++++++++-------- + 2 files changed, 32 insertions(+), 13 deletions(-) + +diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man +index 1df75c5..ac13fd4 100644 +--- a/utils/gssd/gssd.man ++++ b/utils/gssd/gssd.man +@@ -195,11 +195,28 @@ option when starting + .BR rpc.gssd . + .SH OPTIONS + .TP +-.B -D +-DNS Reverse lookups are not used for determining the +-server names pass to GSSAPI. This option will reverses that and forces +-the use of DNS Reverse resolution of the server's IP address to +-retrieve the server name to use in GSAPI authentication. ++.B \-D ++The server name passed to GSSAPI for authentication is normally the ++name exactly as requested. e.g. for NFS ++it is the server name in the "servername:/path" mount request. Only if this ++servername appears to be an IP address (IPv4 or IPv6) or an ++unqualified name (no dots) will a reverse DNS lookup ++will be performed to get the canoncial server name. ++ ++If ++.B \-D ++is present, a reverse DNS lookup will ++.I always ++be used, even if the server name looks like a canonical name. So it ++is needed if partially qualified, or non canonical names are regularly ++used. 
++ ++Using ++.B \-D ++can introduce a security vulnerability, so it is recommended that ++.B \-D ++not be used, and that canonical names always be used when requesting ++services. + .TP + .B -f + Runs +diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c +index 6cd4276..b7e2bbb 100644 +--- a/utils/gssd/gssd_proc.c ++++ b/utils/gssd/gssd_proc.c +@@ -175,7 +175,6 @@ get_servername(const char *name, const struct sockaddr *sa, const char *addr) + char *hostname; + char hbuf[NI_MAXHOST]; + unsigned char buf[sizeof(struct in6_addr)]; +- int servername = 0; + + if (avoid_dns) { + /* +@@ -183,15 +182,18 @@ get_servername(const char *name, const struct sockaddr *sa, const char *addr) + * If it is an IP address, do the DNS lookup otherwise + * skip the DNS lookup. + */ +- servername = 0; +- if (strchr(name, '.') && inet_pton(AF_INET, name, buf) == 1) +- servername = 1; /* IPv4 */ +- else if (strchr(name, ':') && inet_pton(AF_INET6, name, buf) == 1) +- servername = 1; /* or IPv6 */ +- +- if (servername) { ++ int is_fqdn = 1; ++ if (strchr(name, '.') == NULL) ++ is_fqdn = 0; /* local name */ ++ else if (inet_pton(AF_INET, name, buf) == 1) ++ is_fqdn = 0; /* IPv4 address */ ++ else if (inet_pton(AF_INET6, name, buf) == 1) ++ is_fqdn = 0; /* IPv6 addrss */ ++ ++ if (is_fqdn) { + return strdup(name); + } ++ /* Sorry, cannot avoid dns after all */ + } + + switch (sa->sa_family) { +-- +1.8.3.1.487.g3e7a5b4 + diff --git a/0003-Fix-handling-of-preferred-realm-command-line-option.patch b/0003-Fix-handling-of-preferred-realm-command-line-option.patch new file mode 100644 index 0000000..07b90ff --- /dev/null +++ b/0003-Fix-handling-of-preferred-realm-command-line-option.patch 
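Review bot: In `get_servername()` the fall-through after `if (is_fqdn)` is silent. With `avoid_dns` set, an unqualified name or an IP literal still takes the reverse-lookup path that the gssd.man text in this same patch describes as a possible security vulnerability, and nothing records that it happened. A log line at the `/* Sorry, cannot avoid dns after all */` comment would let an operator see which requests derive the GSSAPI server name from DNS, for example `printerr(1, "WARNING: '%s' is not a fully qualified name, using reverse DNS\n", name);` (assuming `printerr` is available in this file as it is in krb5_util.c). The `/* local name */` comment is also imprecise, since an IPv6 literal without dots is classified by that first branch; the result is the same, but the comment should say so. The function body continues outside the hunk.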
@@ -0,0 +1,45 @@ +From a402f768db1dc6497cf7f592b33e142936897de2 Mon Sep 17 00:00:00 2001 +From: Maximilian Wilhelm +Date: Mon, 1 Jul 2013 11:58:13 -0400 +Subject: [PATCH] Fix handling of preferred realm command line option. + +The current implementation ignores any preferred realm specified on the +command line. Fix this behaviour and make sure the preferred realm is +used as first realm when trying to acquire a keytab entry + +Signed-off-by: Maximilian Wilhelm +Signed-off-by: Frederik Moellers +Signed-off-by: Steve Dickson +--- + utils/gssd/krb5_util.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c +index 9ef80f0..abebdcd 100644 +--- a/utils/gssd/krb5_util.c ++++ b/utils/gssd/krb5_util.c +@@ -852,11 +852,19 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname, + } + + /* +- * Try the "appropriate" realm first, and if nothing found for that +- * realm, try the default realm (if it hasn't already been tried). ++ * Make sure the preferred_realm, which may have been explicitly set ++ * on the command line, is tried first. If nothing is found go on with ++ * the host and local default realm (if that hasn't already been tried). + */ + i = 0; + realm = realmnames[i]; ++ ++ if (strcmp (realm, preferred_realm) != 0) { ++ realm = preferred_realm; ++ /* resetting the realmnames index */ ++ i = -1; ++ } ++ + while (1) { + if (realm == NULL) { + tried_all = 1; +-- +1.8.3.1.487.g3e7a5b4 + diff --git a/0004-nfsiostat-restore-output-format.patch b/0004-nfsiostat-restore-output-format.patch new file mode 100644 index 0000000..51ef2bd --- /dev/null +++ b/0004-nfsiostat-restore-output-format.patch 
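Review bot: The added `strcmp (realm, preferred_realm)` in `find_keytab_entry()` dereferences both pointers without a check, although the loop just below tests `realm == NULL`, which suggests `realmnames[0]` can be NULL. Whether `preferred_realm` is always set by the time this runs is not visible in the hunk. A guarded form keeps the new ordering and avoids a NULL dereference: `if (preferred_realm && (realm == NULL || strcmp(realm, preferred_realm) != 0)) {`. The `i = -1` reset relies on an increment that sits outside the hunk, so the comment could state that the next iteration resumes at `realmnames[0]`.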
@@ -0,0 +1,69 @@ +From 94642a397d27ea0cfc6d798bc505482023eb5ec1 Mon Sep 17 00:00:00 2001 +From: Weston Andros Adamson +Date: Mon, 1 Jul 2013 12:00:51 -0400 +Subject: [PATCH] nfsiostat: restore output format + +Recent changes to support python 3 changed the output of nfsiostat from: + +read: ops/s kB/s kB/op retrans +avg RTT (ms) avg exe (ms) + 48.094 2889.133 60.072 0 (0.0%) +177.160 184.833 +... + +to: + +read: + ops/s kB/s kB/op retrans avg RTT (ms) avg exe +(ms) + 0.000 + 0.000 + 0.000 + 0 (0.0%) + 0.000 + 0.000 +... + +Signed-off-by: Weston Andros Adamson +Signed-off-by: Steve Dickson +--- + tools/nfs-iostat/nfs-iostat.py | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/tools/nfs-iostat/nfs-iostat.py b/tools/nfs-iostat/nfs-iostat.py +index dfbef87..c035537 100644 +--- a/tools/nfs-iostat/nfs-iostat.py ++++ b/tools/nfs-iostat/nfs-iostat.py +@@ -353,14 +353,14 @@ class DeviceData: + exe_per_op = 0.0 + + op += ':' +- print('%s' % op.lower().ljust(15)) ++ print('%s' % op.lower().ljust(15), end='') + print(' ops/s\t\t kB/s\t\t kB/op\t\tretrans\t\tavg RTT (ms)\tavg exe (ms)') + +- print('\t\t%7.3f' % (ops / sample_time)) +- print('\t%7.3f' % (kilobytes / sample_time)) +- print('\t%7.3f' % kb_per_op) +- print(' %7d (%3.1f%%)' % (retrans, retrans_percent)) +- print('\t%7.3f' % rtt_per_op) ++ print('\t\t%7.3f' % (ops / sample_time), end='') ++ print('\t%7.3f' % (kilobytes / sample_time), end='') ++ print('\t%7.3f' % kb_per_op, end='') ++ print(' %7d (%3.1f%%)' % (retrans, retrans_percent), end='') ++ print('\t%7.3f' % rtt_per_op, end='') + print('\t%7.3f' % exe_per_op) + + def ops(self, sample_time): +@@ -392,7 +392,7 @@ class DeviceData: + print() + + print(' op/s\t\trpc bklog') +- print('%7.2f' % (sends / sample_time)) ++ print('%7.2f' % (sends / sample_time), end='') + print('\t%7.2f' % backlog) + + if which == 0: +-- +1.8.3.1.487.g3e7a5b4 + 
diff --git a/0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch b/0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch new file mode 100644 index 0000000..d693431 --- /dev/null +++ b/0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch @@ -0,0 +1,48 @@ +From 05e6d39a988e76d5803f79018a9e40d435f6d2f7 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Tue, 2 Jul 2013 08:27:41 -0400 +Subject: [PATCH] gssd: don't give up on machine credential if hostname not + available. + +krb5_util tries various different credential names in order to find +the machine credential, not all of them use the full host name of the +current host. + +So if getting the full host name fails, don't give up completely, +still try the other options. + +Signed-off-by: NeilBrown +Signed-off-by: Steve Dickson +--- + utils/gssd/krb5_util.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c +index abebdcd..a6c7eb0 100644 +--- a/utils/gssd/krb5_util.c ++++ b/utils/gssd/krb5_util.c +@@ -825,8 +825,10 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname, + myhostad[i+1] = 0; + + retval = get_full_hostname(myhostname, myhostname, sizeof(myhostname)); +- if (retval) +- goto out; ++ if (retval) { ++ /* Don't use myhostname */ ++ myhostname[0] = 0; ++ } + + code = krb5_get_default_realm(context, &default_realm); + if (code) { +@@ -891,6 +893,8 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname, + myhostad, + NULL); + } else { ++ if (!myhostname[0]) ++ continue; + snprintf(spn, sizeof(spn), "%s/%s@%s", + svcnames[j], myhostname, realm); + code = krb5_build_principal_ext(context, &princ, +-- +1.8.3.1.487.g3e7a5b4 + diff --git a/0006-gssd-fixed-typo-in-machine-cred-name.patch b/0006-gssd-fixed-typo-in-machine-cred-name.patch new file mode 100644 index 0000000..c421348 --- /dev/null +++ b/0006-gssd-fixed-typo-in-machine-cred-name.patch 
@@ -0,0 +1,31 @@ +From da05b199a60e8a8fa91d4d3734cbbe84b23cff69 Mon Sep 17 00:00:00 2001 +From: Doug Nazar +Date: Tue, 2 Jul 2013 08:45:31 -0400 +Subject: [PATCH] gssd: fixed typo in machine cred name. + +Commit 1c787f14 [gssd: scan for DIR: ccaches, too] changed the default +prefix for the credential cache files. Update the check to ignore the +machine credential file when running with -n (root ignores machine +credentials). + +Signed-off-by: Steve Dickson +--- + utils/gssd/krb5_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c +index a6c7eb0..83b9651 100644 +--- a/utils/gssd/krb5_util.c ++++ b/utils/gssd/krb5_util.c +@@ -231,7 +231,7 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, + continue; + } + if (uid == 0 && !root_uses_machine_creds && +- strstr(namelist[i]->d_name, "_machine_")) { ++ strstr(namelist[i]->d_name, "machine_")) { + printerr(3, "CC '%s' not available to root\n", + statname); + free(namelist[i]); +-- +1.8.3.1.487.g3e7a5b4 + diff --git a/nfs-utils-1.2.7.tar.bz2 b/nfs-utils-1.2.7.tar.bz2 deleted file mode 100644 index 071c8fa..0000000 --- a/nfs-utils-1.2.7.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7ef8e0a8b22cd7ff33f3afd28e770d45643fae303468a180640c2967833fe75e -size 2902130 diff --git a/nfs-utils-1.2.8.tar.bz2 b/nfs-utils-1.2.8.tar.bz2 new file mode 100644 index 0000000..7b4e1fb --- /dev/null +++ b/nfs-utils-1.2.8.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:62ec061e32283699646515f6383cb54d0d88fb223343cec940a2701560b8b404 +size 763630 diff --git a/nfs-utils.changes b/nfs-utils.changes index 3c9b934..c7f47fb 100644 --- a/nfs-utils.changes +++ b/nfs-utils.changes 
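Review bot: The new pattern in `gssd_find_existing_krb5_ccache()`, `strstr(namelist[i]->d_name, "machine_")`, matches anywhere in the file name, so for uid 0 without `root_uses_machine_creds` any cache whose name merely contains "machine_" is skipped, not only the machine credential. That errs on the safe side, but the exclusion depends on a string literal that has already drifted once from the real cache prefix, which is the reason for this fix. Building the expected name from the same prefix definition the cache is created with, and comparing it anchored at the start of `d_name` with `strncmp`, would keep the two from diverging again. That definition and the rest of the function are outside the hunk.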
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Mon Jul 22 06:12:53 UTC 2013 - nfbrown@suse.com + +- New upstream release 1.2.8 - mostly bugfixes, many to gssd. + No important new functionality +- Changes to ./configure command to remove warnings +- 8 more patches from upstream 'git' to fix non-trivial bugs + including on CVE. + ------------------------------------------------------------------- Mon May 13 15:32:55 UTC 2013 - coolo@suse.com diff --git a/nfs-utils.spec b/nfs-utils.spec index a097b83..3447a55 100644 --- a/nfs-utils.spec +++ b/nfs-utils.spec @@ -35,7 +35,7 @@ Url: http://kernel.org/pub/linux/utils/nfs-utils/ Summary: Support Utilities for Kernel nfsd License: GPL-2.0+ Group: Productivity/Networking/NFS -Version: 1.2.7 +Version: 1.2.8 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: %fillup_prereq %insserv_prereq 
@@ -57,6 +57,18 @@ Source11: idmapd.conf Source12: start-statd Source13: nfs-utils.rpmlintrc Patch0: nfs-utils-1.0.7-bind-syntax.patch +# PATCH-FIX-UPSTREAM 0001-mountd-Fix-is_subdirectory-again.patch upstream-bugfix nfbrown@suse.de +Patch1: 0001-mountd-Fix-is_subdirectory-again.patch +# PATCH-FIX-UPSTREAM 0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch upstream-bugfix nfbrown@suse.de +Patch2: 0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch +# PATCH-FIX-UPSTREAM 0003-Fix-handling-of-preferred-realm-command-line-option.patch upstream-bugfix nfbrown@suse.de +Patch3: 0003-Fix-handling-of-preferred-realm-command-line-option.patch +# PATCH-FIX-UPSTREAM 0004-nfsiostat-restore-output-format.patch upstream-bugfix nfbrown@suse.de +Patch4: 0004-nfsiostat-restore-output-format.patch +# PATCH-FIX-UPSTREAM 0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch upstream-bugfix nfbrown@suse.de +Patch5: 0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch +# PATCH-FIX-UPSTREAM 0006-gssd-fixed-typo-in-machine-cred-name.patch upstream-bugfix nfbrown@suse.de +Patch6: 0006-gssd-fixed-typo-in-machine-cred-name.patch Suggests: python-base %description @@ -107,21 +119,25 @@ This package contains additional NFS documentation. %prep %setup -q -n nfs-utils-%{version} -a 1 %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 cp %{S:6} . %build rm -f configure; autoreconf -fi CFLAGS="$RPM_OPT_FLAGS -fPIE -fno-strict-aliasing" LDFLAGS="-pie" ./configure \ --mandir=%{_mandir} \ - --disable-rquotad \ --enable-nfsv4 \ --enable-gss \ --enable-ipv6 \ --enable-nfsdcltrack \ --enable-mount \ --enable-libmount-mount \ - --enable-mountconfig \ - --with-krb5=/usr/lib/mit + --enable-mountconfig make cd nfs for i in *.html ; do From 1659d2c52fbf179ccdc8995df393da23e1ac4a825c4d9b32ebed33fb4ce1ab36 Mon Sep 17 00:00:00 2001 
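Review bot: All six new `# PATCH-FIX-UPSTREAM` comments carry the same `upstream-bugfix` tag, while the changelog entry in this commit says the patch set includes a CVE fix, so the spec does not show which patch is the security fix. Tagging the relevant one makes it auditable, for example `# PATCH-FIX-UPSTREAM <patch-file> CVE-<ID> bnc#<BUG-ID> nfbrown@suse.de`. The changelog also speaks of 8 patches where `Patch1` to `Patch6` are added; if the other two are part of the 1.2.8 tarball, a short comment would say so. In the `%build` hunk `--with-krb5=/usr/lib/mit` is dropped, which presumably leaves the Kerberos location to configure's detection and deserves a one-line comment.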
From: Neil Brown Date: Mon, 22 Jul 2013 06:50:28 +0000 Subject: [PATCH 2/3] - New sysconfig variables NFS4_SERVER_MINOR_VERSION, GSSD_OPTIONS, NFS_GSSD_AVOID_DNS to enable various configurations. - bug fixes to init scripts to avoid unmounting everything(!) and to avoid corrupting /run/nfs/bind.mounts OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=88 --- nfs-utils.changes | 10 ++++++++++ nfs.init | 29 +++++++++++++++++++---------- nfsserver.init | 15 +++++++++------ sysconfig.nfs | 38 +++++++++++++++++++++++++++++++++++++- 4 files changed, 75 insertions(+), 17 deletions(-) diff --git a/nfs-utils.changes b/nfs-utils.changes index c7f47fb..243de59 100644 --- a/nfs-utils.changes +++ b/nfs-utils.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Jul 22 06:47:57 UTC 2013 - nfbrown@suse.com + +- New sysconfig variables + NFS4_SERVER_MINOR_VERSION, GSSD_OPTIONS, + NFS_GSSD_AVOID_DNS + to enable various configurations. +- bug fixes to init scripts to avoid unmounting everything(!) + and to avoid corrupting /run/nfs/bind.mounts + ------------------------------------------------------------------- Mon Jul 22 06:12:53 UTC 2013 - nfbrown@suse.com diff --git a/nfs.init b/nfs.init index fa7a5fa..26a1465 100644 --- a/nfs.init +++ b/nfs.init @@ -17,7 +17,7 @@ # Required-Stop: $network $portmap # Default-Start: 3 5 # Default-Stop: 0 1 2 6 -# Short-Description: NFS client services +# Short-Description: NFS client services # Description: All necessary services for NFS clients ### END INIT INFO @@ -94,6 +94,15 @@ esac if test -n "$flavors" ; then NEED_GSSD=yes fi +if test -n "$GSSD_OPTIONS"; then + NEED_GSSD=yes +fi + +case $NFS_GSSD_AVOID_DNS in + [Nn]*) ignore_dns=-D ;; + [Yy]*) ignore_dns= ;; + * ) ignore_dns=-D +esac if test "$NFS4_SUPPORT" = yes ; then NEED_IDMAPD=yes 
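Review bot: In the new `case $NFS_GSSD_AVOID_DNS` block of nfs.init, the catch-all `* ) ignore_dns=-D` treats an unset or mistyped value like an explicit "no", so rpc.gssd is started with `-D`, the option the gssd.man text in patch 0002 of this series recommends against. Because the sysconfig.nfs hunk ships an explicit "no", the catch-all could fail safe without affecting installations that carry the variable: `* ) ignore_dns= ;;`, ideally with a warning on stderr. The variable name also reads backwards, since `-D` forces reverse DNS rather than ignoring it; a neutral name such as `gssd_dns_opt` would be clearer here and in the two `startproc $GSSD_BIN $ignore_dns $GSSD_OPTIONS` lines of the later hunks.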
@@ -153,7 +162,7 @@ do_start_gssd() { /sbin/modprobe rpcsec_gss_$flavor done mount_rpc_pipefs - startproc $GSSD_BIN + startproc $GSSD_BIN $ignore_dns $GSSD_OPTIONS return $? } @@ -196,7 +205,7 @@ case "$1-$nfs" in modprobe nfs grep -E '^(sunrpc|fs.nfs)' /etc/sysctl.conf | sysctl -q -e -n -p - - # in case we need /usr and/or /opt via nfs + # in case we need /usr and/or /opt via nfs mount_usr # sm-notify @@ -231,10 +240,10 @@ case "$1-$nfs" in # It's sometime usefull to mount NFS devices in # background with an ampersand (&) and a sleep time of # two or more seconds, e.g: - # + # # sleep 2 && mount -at nfs,nfs4 & - # sleep 2 - # + # sleep 2 + # if test -n "$mnt" ; then # If network devices are not yet discovered, mounts # might fail, so we might need to 'udevadm settle' to @@ -268,7 +277,7 @@ case "$1-$nfs" in # kill process to maximise chance that umount succeeds mnt=`awk '$3 ~ /^nfs4*$/ {print $2}' /proc/mounts` runlevel=`runlevel | awk '{print $2}'` - if test "$runlevel" -eq 0 -o "$runlevel" -eq 6; then + if test "$runlevel" -eq 0 -o "$runlevel" -eq 6; then if test -n "$mnt" ; then /sbin/mkill -TERM $mnt fi @@ -293,7 +302,7 @@ case "$1-$nfs" in killproc $IDMAPD_BIN fi rm -f $IDMAPD_CLIENT_STATE - fi + fi # stop rpc.statd if not needed by server if checkproc $STATD_BIN ; then @@ -334,7 +343,7 @@ case "$1-$nfs" in echo "gssd not running" rc_failed 3 fi - # + # if test "$NEED_IDMAPD" = yes && ! checkproc $IDMAPD_BIN; then echo "idmapd not running" rc_failed 3 @@ -354,7 +363,7 @@ case "$1-$nfs" in if checkproc ${GSSD_BIN##*/}; then echo -n " gssd" killproc ${GSSD_BIN##*/} - startproc $GSSD_BIN + startproc $GSSD_BIN $ignore_dns $GSSD_OPTIONS fi if checkproc ${IDMAPD_BIN##*/}; then echo -n " idmapd" diff --git a/nfsserver.init b/nfsserver.init index e3c82e8..2325866 100644 --- a/nfsserver.init +++ b/nfsserver.init 
@@ -44,7 +44,7 @@ rc_reset # 5 - program is not installed # 6 - program is not configured # 7 - program is not running -# +# # Note that starting an already running service, stopping # or restarting a not-running service as well as the restart # with force-reload (in case signalling is not supported) are @@ -108,7 +108,7 @@ nfs4_bind_mounts() { echo "NFS: Is it no longer needed and may cease to work." echo "NFS: Please remove these settings." warned=yes - fi + fi >&2 test -d "$export" || mkdir -p "$export" mount -o bind "$dir" "$export" echo "$dir" "$export" @@ -118,7 +118,7 @@ nfs4_bind_mounts() { nfs4_unbind_mounts() { sort -r -k2 $NFSD_BIND_MOUNTS | while read src mountpoint crap; do - umount -l "$mountpoint" + [ -n "$mountpoint" ] && umount -l "$mountpoint" done > $NFSD_BIND_MOUNTS } @@ -188,6 +188,9 @@ case "$1" in if [ "$NFS4_SUPPORT" != "yes" ]; then VERSION_PARAMS="--no-nfs-version 4" fi + if [ "$NFS4_SERVER_MINOR_VERSION" != "0" ]; then + VERSION_PARAMS="$VERSION_PARAMS -nfs-version 4 -nfs-version 4.$NFS4_SERVER_MINOR_VERSION" + fi if [ -n "$NFSV4LEASETIME" -a -f /proc/fs/nfsd/nfsv4leasetime ]; then echo "$NFSV4LEASETIME" > /proc/fs/nfsd/nfsv4leasetime fi @@ -211,7 +214,7 @@ case "$1" in echo $IDMAPD_BIN > $IDMAPD_SERVER_STATE fi # exportfs - /usr/sbin/exportfs -r + /usr/sbin/exportfs -r # rpc.mountd echo -n " mountd" if [ -n "$MOUNTD_PORT" ] ; then @@ -295,7 +298,7 @@ case "$1" in rc_status -v ;; try-restart) - ## Stop the service and if this succeeds (i.e. the + ## Stop the service and if this succeeds (i.e. the ## service was running before), start it again. $0 status >/dev/null && $0 restart @@ -339,7 +342,7 @@ case "$1" in echo -n " idmapd" checkproc $IDMAPD_BIN rc_status -v - fi + fi echo -n " mountd" checkproc /usr/sbin/rpc.mountd rc_status -v diff --git a/sysconfig.nfs b/sysconfig.nfs index 5fe6312..97b7020 100644 --- a/sysconfig.nfs +++ b/sysconfig.nfs 
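Review bot: The new `NFS4_SERVER_MINOR_VERSION` test in the start branch runs even when `NFS4_SUPPORT` is not "yes", so `VERSION_PARAMS` ends up holding both `--no-nfs-version 4` and a request to enable version 4, and an administrator who disabled NFSv4 may get it back once the minor version is set to 1. An unset variable also compares unequal to "0" and produces the argument `4.`. The option is spelled `-nfs-version` with a single dash, while the context line above uses the double-dash form `--no-nfs-version`. I would nest the check under the NFSv4-enabled case and accept only a single digit, as below. The enclosing `case "$1" in` branch starts and ends outside the hunk.

```shell
	if [ "$NFS4_SUPPORT" != "yes" ]; then
	    VERSION_PARAMS="--no-nfs-version 4"
	else
	    case "$NFS4_SERVER_MINOR_VERSION" in
		""|0) ;;
		[1-9])
		    VERSION_PARAMS="$VERSION_PARAMS --nfs-version 4 --nfs-version 4.$NFS4_SERVER_MINOR_VERSION" ;;
		*)
		    echo "NFS: ignoring invalid NFS4_SERVER_MINOR_VERSION '$NFS4_SERVER_MINOR_VERSION'" >&2 ;;
	    esac
	fi
	# … unchanged: NFSV4LEASETIME handling …
```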
@@ -49,15 +49,28 @@ NFS3_SERVER_SUPPORT="yes" ## Default: yes ## ServiceRestart: nfs nfsserver # -# Enable NFSv4 support (yes/no) +# Enable NFSv4 support (server and/or client) (yes/no) # NFS4_SUPPORT="yes" +## Path: Network/File systems/NFS server +## Description: NFSv4 server minor version +## Type: integer +## Default: 0 +## ServiceRestart: nfsserver +# +# Select NFSv4 minor version for server to support (0, 1). +# If '1' is selected, NFSv4.0 will also be supported. +NFS4_SERVER_MINOR_VERSION="0" + ## Path: Network/File systems/NFS server ## Description: Network Status Monitor options ## Type: string ## Default: "" # +# If a fixed port should be used to send reboot notification +# messages to other systems, that port should be given +# here as "-p portnumber". # SM_NOTIFY_OPTIONS="" @@ -133,6 +146,16 @@ SVCGSSD_OPTIONS="" # -H in a high-availability configuration. NFSD_OPTIONS="" +## Path: Network/File systems/NFS server +## Description: Extra options for gssd +## Type: string +## Default: "" +# +# Normally gssd does not require any options. In some circumstances, +# -n, -l or other options might be useful. See "man 8 rpc.gssd" for +# details. Those options can be set here. +GSSD_OPTIONS="" + ## Path: Network/File systems/NFS server ## Description: Extra options for mountd ## Type: string @@ -142,3 +165,16 @@ NFSD_OPTIONS="" # such as --manage-gids. MOUNTD_OPTIONS="" +## Path: Network/File systems/NFS server +## Description: Avoid DNS lookups for kerberos principal +## Type: yesno +## Default: no +## ServiceRestart: gssd +# +# Avoid DNS lookups when determining kerberos identity +# of NFS server (yes/no) +# "yes" is safest, but "no" might be needed to preserve +# correct behaviour at sites that don't use +# Fully Qualified Domain Names when mounting NFS Shares. +# +NFS_GSSD_AVOID_DNS="no" From d46251b0bc4151381745fe481aadc151c9fc496cb2138761636dad9c421c26db Mon Sep 17 00:00:00 2001 
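Review bot: The `NFS_GSSD_AVOID_DNS` entry is tagged `## ServiceRestart: gssd`, but the init scripts changed in this patch start rpc.gssd from nfs.init and the other entries name `nfs` or `nfsserver`, so this tag probably restarts nothing; `## ServiceRestart: nfs` looks like what is meant. The help text says "yes" is safest while the shipped value is "no"; it would help to state plainly that "no" starts rpc.gssd with `-D`. Both new gssd entries are filed under `## Path: Network/File systems/NFS server` although gssd is started by the client script.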
From: Neil Brown
Date: Mon, 22 Jul 2013 10:05:50 +0000
Subject: [PATCH 3/3] Updates to correct tar.bz2 .
OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=89
---
 nfs-utils-1.2.8.tar.bz2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nfs-utils-1.2.8.tar.bz2 b/nfs-utils-1.2.8.tar.bz2
index 7b4e1fb..128db52 100644
--- a/nfs-utils-1.2.8.tar.bz2
+++ b/nfs-utils-1.2.8.tar.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:62ec061e32283699646515f6383cb54d0d88fb223343cec940a2701560b8b404
-size 763630
+oid sha256:1cc8f02a633eddbf0a1d93421f331479c4cdab4c5ab33b8bf8c7c369f9156ac6
+size 2747577